Security Does NOT Equal Compliance

I was all set to go another direction with this blog today, but then I read a quote from a Gartner analyst that got me thinking.

“Security does not equal compliance. [Global Payments] may have been compliant at time of exam, but not at time of the breach.” We need to constantly be assessing PCI compliance.”

This, of course is going back to my blog earlier this week discussing the how one of the largest payment processing companies got hacked and left more than 1.5 million credit cards exposed. Whether or not they caught the breach in time is immaterial. It is something that should have never happened.

But approaching the issue from the standpoint of lax compliance, how many companies achieved compliance at one point, but because of a mountain of other concerns, hair-on-fire issues and the pressures of general system performance let the compliance component slide. Not necessarily on purpose, but just enough to leave the door open to problems that potentially blindside a company.

Major commercial brands, like Visa, require merchants and processors to attain and maintain PCI compliance. To those uncertain, PCI is Payment Card Industry. If you run any sort of ecommerce or transact any business over your servers that require the transmittal of credit card or payment information (or if you just store the data) you must be in compliance with certain standards monitored by the Payment Card Industry Security Standards Council. Doesn’t matter if you’re a massive multi-national enterprise or the local dog grooming shop…if you transact business over the Internet, you must be in compliance—even if you use third party payment processors.

Now most IT professionals are acutely aware of the requirements and all the burdens that go with ensuring this sensitive data is secure to the standards set forth by the PCISSC. But awareness and active compliance are two different things. There are so many moving parts in a modern IT architecture that sometimes you might have all the security measures in place, but still might not be in compliance.

Since this is a blog about the cloud, I want to approach the issue in terms of how to best use this means of virtualization. And we can also extrapolate that the same concept can be applied to many of the compliance requirements including Sarbanes-Oxley, HIPAA and others and that when I speak of the cloud I do include public, private and hybrid clouds.

Generally, the key components of most compliance requirements come down to assessment (audit), remediation and reporting. From the standpoint of the cloud, and more specifically security-as-a-service, much of this can be automated. This is not to say “set it and forget it.” But by configuring your SIEM and log management set up to constantly monitor every hit, ping, phish, log-on or intrusion against your network you can see patterns of what is (and what is not) likely a threat. Then the system alerts you and depending on your definition of a threat can take immediate action to neutralize a threat or escalate the issue for further analysis. Then of course, the creation of automatic reports closes the compliance circle.

It is very important to recognize that even if you have all the pieces in place—you have SIEM, Log Management, IDM, etc…that compliance is more about situational awareness than the individual silos of information. It is how it the entire collective of data from a wide variety of sources is interpolated, correlated and reported upon. You may have strong intrusion detection/protection; you might have strong network traffic analysis, you might have state-of the art authentication controls, but if you audit each on an island, you still run the risk of potential issues falling through the cracks. The sign of a mature, compliant enterprise is how you can granularly analyze the big picture. One flag in itself might not be troubling, but when correlated and seen in context with minor anomalies in other seemingly unrelated sections, you can properly recognize (and therefore properly remediate) threats. THIS is situational awareness and THIS is what compliance means. It’s having the audit process and controls in place and obviously a cloud-security configuration makes this not only considerably more affordable, but much easier to manage.

A good place to start of what is needed for compliance is the Cloud Security Alliance. In general, there is nearly 100 individual control specifications. And when considering a cloud-security vendor, they should be well versed in providing this level of audit. Some of the areas include Information System regulatory mapping, data leakage prevention mechanisms and processes, independent reviews and assessments, data governance retention and storage procedures, OWASP standards, remote user multi-factor authentication and various encryption, data segmentation, data integrity, access restrictions/controls requirements…obviously many too many to list. Granted, achieving and maintaining compliance can be its own full time job.

Active compliance can be a drain. It takes time, dedication and resources away from what may seem to be higher priority tasks. This is why the cloud makes so much sense. It removes much of the burden without sacrificing any of the necessary gravitas that protects your IT assets. And for most companies, it is simply more economical. But simply moving security management to the cloud does not in itself mean compliance. One needs assurances that the proper controls are in place, the audits (SAS 70, ISO 27001|27002 standards) are performed and the processes meet the needs of your industry requirements while securely keeping your infrastructure safe. Remember, achieving compliance is one thing…but the key is maintaining it.

But in the end, you may have all the right security components in place, but still may not be in compliance. Security does not equal compliance. And as much as we grumble; as much as we think it distracts from larger issues, it is still a requirement for safe and secure business practice—or else your company might pay a similar price to Global Payments.